| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 85813 | 2007-12-23 01:37:00 | My PC is infected by printer.exe and possibly ultimate defender | ineedhelp2008 (13207) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 623727 | 2007-12-23 01:37:00 | There is a little yellow warning triangle keep saying Windows antivirus. Windows has detected spyware infection! It is recomended to use special antispyware tools to prevent data loss. Windows will now download and install te most up-to-date antispyware for you Click here to protect your computer from spyware! I find C:\window\shell.exe, printer.exe, autorun.exe, wowfx.dll, findfast.exe I think this thing is the same as forums.pcworld.co.nz But the solution in that post does not help. And I am a little different. I can use regedit, task manager, but not control panel. Trojan horse indicates the my task manager, regedit, and control panel is disabled in registry. It said it fixed it , but the same problem appear when I scan it again. Teatimer find a process constantly trying to change my internet startpage every second Here is my hijack this log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:33:37 PM, on 12/22/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Acer\Empowering Technology\admServ.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\igfxpers .exe C:\WINDOWS\system32\igfxtray .exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh .exe C:\Program Files\Common Files\Symantec Shared\ccApp .exe C:\Acer\Empowering Technology\ePower\ePower_DMC .exe C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe C:\WINDOWS\VM_STI .EXE D:\Program Files\D-Tools\daemon.exe C:\PROGRA~1\LAUNCH~1\LManager .exe C:\WINDOWS\system32\lxcrcoms.exe C:\Acer\Empowering Technology\eRecovery\Monitor .exe C:\Program Files\Common Files\Real\Update_OB\realsched .exe C:\WINDOWS\system32\ctfmon.exe C:\DOCUME~1\LAPYIN~1\LOCALS~1\Temp\RtkBtMnt.exe D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe C:\WINDOWS\system32\igfxext.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast .exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = us.rd.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = us.rd.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = us.rd.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = www.aceradvantage.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\ Yahoo! \Companion\Installs\cpn\yt.dll F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\ Yahoo! \Companion\Installs\cpn\yt.dll O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtim e.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe O4 - HKLM\..\RunOnce: [Trojan Remover] "C:\Program Files\Trojan Remover\RMVTRJAN.EXE" /restart2 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [PcSync] D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe O4 - Startup: findfast.exe O4 - Startup: findfast .exe O4 - Global Startup: autorun.exe O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1 O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - cdn.scan.safety.live.com O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 12319 bytes I checked geedd.exe, printer.exe, 2 findfast.exe, spoolves.exe, autorun.exe, wowfx.dll and hit "fix checked" but they keep coming back when I scan again Please help Thank you very much |
ineedhelp2008 (13207) | ||
| 623728 | 2007-12-23 01:46:00 | Welcome to Press F1 - the log shows some infections - Windows will now download and install te most up-to-date antispyware for you DONT DO THIS from the windows prompt. Down load from my sig both Spyware Doctor & Spybot S&D, install both, run them. Go to Speedys Sig (pressf1.pcworld.co.nz) down load and update / run Trojan Remover. Speedy is great at Hijack files, not to sure where he is at the moment, but he will be able to tell you what to delete better than me. What Antivirus do you run ? According to the log files you have / Had both Nortons and AVG ?? |
wainuitech (129) | ||
| 623729 | 2007-12-23 01:47:00 | Get rid of Nortons, since u said it expired in PM . Run HJT again tick these entries then tick fix checked Close browser/s . O4 - HKLM\ . . \Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1 . 6 . 0_03\bin\jusched . exe" O4 - HKLM\ . . \Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8 . 0\Reader\Reader_sl . exe" O4 - HKLM\ . . \Run: [Printer] C:\WINDOWS\system32\printer . exe O4 - HKCU\ . . \Run: [Spoolsv] C:\WINDOWS\system32\spoolvs . exe O4 - Startup: findfast . exe O4 - Startup: findfast . exe O4 - Global Startup: autorun . exe O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1 O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx . dll Then click on open the misc tools button / delete a file on reboot in HJT . Find and add wowfx . dll,spoolvs . exe,printer . exe, to it . Not sure if it adds more than 1 file or not . But add these . It maybe one file at a time . Then ok, then reboot . See what happens then . |
Speedy Gonzales (78) | ||
| 623730 | 2007-12-23 01:51:00 | Ignore this post - Speedy lived up to his name :thumbs: :lol: | wainuitech (129) | ||
| 623731 | 2007-12-23 02:27:00 | When I click delete a file on reboot in HJT... HJT just closes itself |
ineedhelp2008 (13207) | ||
| 623732 | 2007-12-23 02:31:00 | hey...i just find the file that infect my computer? would that help? I mean the zip file that I opened and get infection...the virus exe file, would that help? |
ineedhelp2008 (13207) | ||
| 623733 | 2007-12-23 03:05:00 | Do what they told you, including getting Spybot and Spyware Doctor as shown in Wainuitechs signature. | pctek (84) | ||
| 623734 | 2007-12-23 04:26:00 | If "delete on reboot" in HJT wont work for you, try booting in safe mode (F8) and see if you can delete them from there. If you use "Search -> find all files/folders" make sure you have "Search system folders" and "Search hidden files and folders" both activated Delete the ones Speedy said - wowfx.dll, spoolvs.exe, printer.exe Also check there is none with these names just in case - if there is delete them too 53261691.DAT 42836685.SVD 26235911.DAT 30074248.SVD 75547737.DLL |
bevy121 (117) | ||
| 623735 | 2007-12-23 06:02:00 | I have used all the software u guys asked me to use. And I run an AVG 7.5 test and it removed some file. Now my teatimer no longer indicates there is program trying to change my internet startpage, but the printer.exe, shell.exe, wowfx.dll, spoolvs.exe, are still there. And I still cannot click "properties" of my computer. I tried to delete files in safe mode..but they come back And To bevy121, I cannot find the files u said. |
ineedhelp2008 (13207) | ||
| 623736 | 2007-12-23 06:33:00 | Did u do this?? Then click on open the misc tools button / delete a file on reboot in HJT. Find and add wowfx.dll,spoolvs.exe,printer.exe, to it. Say Yes after you load all 3 files. Then it'll ask if u want to reboot. Reboot. It doesnt sound like u did. |
Speedy Gonzales (78) | ||
| 1 2 3 4 5 6 7 8 | |||||